
NI grpc-device EUVD-2026-38030

CVE-2026-9142 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-19 · NI
CVSS 4.0 score 9.3 · Vendor: NI

Severity by source

Vendor (NI), primary: 9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.1 CRITICAL

Network-reachable gRPC service with no auth when misconfigured gives AV:N/AC:L/PR:N/UI:N; instrument read/write yields C:H/I:H, but no availability impact is described so A:N.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (NI).

CVSS Vector (Vendor: NI)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline (5 events)

  • Jun 19, 2026 14:28, vuln.today: Analysis Updated, v3 (cvss_changed)
  • Jun 19, 2026 14:28, vuln.today: Analysis Updated, v2 (cvss_changed)
  • Jun 19, 2026 14:22, vuln.today: Re-analysis Queued (cvss_changed)
  • Jun 19, 2026 14:22, NVD: CVSS changed (9.1 CRITICAL, 9.3 CRITICAL)
  • Jun 19, 2026 14:19, vuln.today: Analysis Generated

Description (CVE.org)

There is an insecure default credentials vulnerability in NI grpc-device when TLS configuration is not present and the server is bound beyond loopback. This may allow an unauthenticated user access to the server on the local network. This affects NI grpc-device 2.17.0 and prior versions.

Analysis (AI)

Unauthenticated network access to NI grpc-device 2.17.0 and earlier is possible when the server is deployed without TLS configuration and bound to a non-loopback interface, exposing instrument control services to anyone on the local network. The flaw stems from insecure default credentials behavior and aligns with CWE-306 (missing authentication for a critical function). …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Scan LAN for exposed grpc-device port
  • Delivery: Open unauthenticated gRPC channel
  • Exploit: Invoke driver RPCs without credentials
  • Execution: Read or modify instrument state
  • Impact: Manipulate test results or hardware output

Vulnerability Assessment (AI)

Exploitation: The grpc-device server must be started without TLS configuration AND bound to an interface beyond loopback (e.g., 0.0.0.0 or a specific LAN IP), which is a non-default but operationally common posture when remote test controllers need to reach instruments. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) realistically captures the worst case: an attacker with LAN reachability and no credentials can read and manipulate instrument state, but availability impact is rated N, consistent with control-plane abuse rather than a crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker on the same factory-floor or lab network scans for the grpc-device port on hosts that have been bound to 0.0.0.0 without TLS, opens an unauthenticated gRPC channel, and issues driver calls to read live measurements or reconfigure instruments, for example altering DAQ output voltages or VISA session settings. No public exploit identified at time of analysis, but the CVSS 4.0 AV:N/AC:L/PR:N profile means a generic gRPC client plus the public .proto definitions from the ni/grpc-device repository is sufficient to interact with the service.

Remediation: Patch available per vendor advisory; consult the NI security bulletin at https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/multiple-vulnerabilities-in-ni-grpc-device-server.html and the GitHub Security Advisory GHSA-fhhw-37q8-6562 for the fixed grpc-device build. An exact fixed version was not provided in the input data, so verify the target release on the advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all NI grpc-device instances at version 2.17.0 or earlier; verify TLS configuration status and network binding; isolate any non-TLS deployments via network segmentation or firewall rules immediately. …
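As an added, defender-side example (not code from NI or vuln.today), the script below audits grpc-device server configs for the posture described above: no TLS configured and the listener bound beyond loopback. The JSON layout (address, port, and a security object with server_cert/server_key) is an assumption to verify against the config file shipped with your build; the sample configs are constructed.

```python
"""Added example (not NI's or vuln.today's code): audit grpc-device server
configs for the posture CVE-2026-9142 describes: no TLS configured and the
listener bound beyond loopback. The JSON layout (address/port plus a
"security" object holding server_cert/server_key) is ASSUMED; check it
against the config file shipped with your grpc-device build."""
import ipaddress
import json

LOOPBACK_NAMES = {"localhost"}

def is_loopback(address: str) -> bool:
    """True only if the bind address is reachable from this host alone."""
    addr = address.strip("[]")  # accept "[::1]"-style IPv6 literals
    if addr.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostnames, wildcards, empty: treat as exposed

def tls_configured(config: dict) -> bool:
    """TLS counts as configured only when both cert and key are set."""
    sec = config.get("security") or {}
    return bool(sec.get("server_cert")) and bool(sec.get("server_key"))

def assess(config: dict) -> dict:
    """Classify one server config; 'exposed' is the CVE-2026-9142 posture.
    A missing address is treated as exposed (conservative)."""
    addr = str(config.get("address", ""))
    tls = tls_configured(config)
    loop = is_loopback(addr)
    return {"address": addr, "tls": tls, "loopback": loop,
            "exposed": not tls and not loop}

def assess_many(raw_configs: dict) -> dict:
    """Map host name -> assessment for a batch of raw JSON config texts."""
    return {name: assess(json.loads(text)) for name, text in raw_configs.items()}

# Constructed sample configs (not real deployments).
SAMPLES = {
    "lab-pc-01": '{"address": "0.0.0.0", "port": 31763, "security": {"server_cert": "", "server_key": ""}}',
    "lab-pc-02": '{"address": "localhost", "port": 31763, "security": {}}',
    "lab-pc-03": '{"address": "[::]", "port": 31763, "security": {"server_cert": "server.crt", "server_key": "server.key"}}',
}

if __name__ == "__main__":
    for host, result in assess_many(SAMPLES).items():
        flag = "EXPOSED" if result["exposed"] else "ok"
        print(f"{host}: {flag} (bind={result['address']}, tls={result['tls']})")
```

Hosts reported as EXPOSED are the ones to segment or firewall first while the patched build is rolled out.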



EUVD-2026-38030 vulnerability details – vuln.today
